KR20180061315A - Preventing attacks from false base stations - Google Patents

Abstract

Embodiments provide a user equipment (UE) device including a memory and a processor configured to execute instructions stored in the memory. The processor is configured by the instruction to receive a first Evolved Packet System (EPS) mobility management (EMM) access refusal message in response to an attempt to connect to the first eNode B (eNB) of the radio access network (RAN). If the connection reject message contains an Evolved Packet System Mobility Management (EMM) error code, the processor sends a connection request to the second acknowledgment eNB. The processor is configured by the instruction to receive a second connection rejection message from the second eNB and enter a lock state only in a condition that the second connection reject message also includes an EMM error code, Rejection message.

Description

Preventing attacks from false base stations

The present invention relates generally to the field of wireless communications and more specifically, but not exclusively, to methods and apparatus for authentication and key negotiation of mobile phone devices.

This section introduces items that can help to better understand the present invention. Therefore, the description of this section should be understood in this regard and should not be understood as belonging to the prior art or as an acknowledgment of not belonging to the prior art. Any technology or method described herein as present or possible is presented as a background to the invention, but these techniques and methods have not so far been commercialized or recognized as being known to anyone but the inventor.

In a UMTS terrestrial radio access network (UTRAN) network, a user equipment (UE) device typically connects to an eNode B (eNB) access node. For example, in the connection process described by 3GPP TS 24.301, the UE sends an access request message to the eNB. The eNB may return a message indicating that the request has been granted, or in some circumstances may return a message rejecting the request, and the message contains an evolved packet system (EPS) mobility management (EMM) cause value.

The present inventors disclose various devices and methods that can be advantageously applied, for example, to a mobile communication network, for example, a communication network, based on the 3GPP Long Term Evolution (LTE) standard suite. Such an embodiment may be expected to provide an improvement in the performance and / or security of such an apparatus and method, but is not necessarily a requirement of the invention, unless explicitly stated in a particular claim.

One embodiment provides a device, e.g., a user equipment (UE) device, such as a mobile handset, including a processor and a memory coupled to the processor. The processor is configured to execute instructions stored in memory that, when executed, configure the processor to perform various steps to improve security, for example, by protecting against a fake eNB. The processor is configured by the instruction to receive an EMM Connection Reject message in response to an attempt to connect to a Radio Access Network (RAN). Under the condition that the connection reject message includes an EMM error code, the processor is also configured to send a connection request to the acknowledgment eNB.

In some embodiments, the processor is also configured to receive a connection rejection message from acknowledgment eNodeB. Under the condition that the connection reject message contains an EMM error code, the processor is configured to be in a locked state. In some embodiments, the EMM error code includes one of EMM cause value # 3 (illegal UE), # 6 (illegal ME), and # 8 (unlicensed EPS service and non EPS service). In some embodiments, the processor is also configured to, after receiving the EMM error code, block access to the initial eNB that received the EMM error code.

In some embodiments, the processor is further configured to receive a connection rejection message from the acknowledgment eNB, wherein the processor is further configured to receive an EMR error code from the first eNB, and stops sending the connection request to the eNB. In some embodiments, the acknowledgment eNB is a first acknowledgment eNB, and the processor is also configured to send a connection request to the second acknowledgment eNB after ceasing to send a message to all eNBs in the first tracking domain.

In some embodiments, the acknowledgment eNB is a first acknowledgment eNB and the processor is also configured to send a connection request to the second acknowledgment eNB, provided that the first acknowledgment eNB is in the same tracking region as the initial eNB. The processor is also configured to be locked, provided that the connection reject message from the second acknowledgment eNB contains an EMM error code. In some such embodiments, the processor is also configured to be in a locked state only on the condition that the second acknowledged eNB is in a second tracking region that is different from the tracking region of the initial eNB from which the EMM error code is received.

Another embodiment includes configuring a processor of a UE device in communication with a memory, for example. The processor is also configured to execute instructions on the memory that, when executed, configure the processor to implement one or more of the embodiments described above.

Another embodiment includes configuring a memory of a UE device that communicates locally with the processor, for example. The memory is configured to provide instructions to the processor to configure the processor to implement one or more of the embodiments described above when executed by the processor.

A more complete understanding of the present invention may be obtained by reference to the following detailed description in conjunction with the accompanying drawings, in which:
1 shows an example wireless network including a user equipment (UE) device, three eNB access points and a false (e.g., malicious) eNB.
FIG. 2 illustrates an embodiment of a UE device configured in accordance with various embodiments, for example, operating in the wireless network of FIG. 1, for example.
3 illustrates prior art operations of a UE, an eNB, a Mobility Management Entity (MME), and a Home Subscriber Server (HSS).
FIG. 4 shows an example of how a false (malicious) eNB may operate so that a conventional UE is locked after attempting to connect to a false eNB.
FIG. 5 illustrates an operational embodiment of the UE of FIG. 2 in accordance with various embodiments for interacting with components of a UMTS Terrestrial Radio Access Network (UTRAN), for example, to prevent spoofing of a UE by a malicious eNB. do.
FIG. 6 illustrates an operational flow diagram of a UE device, e.g., the UE of FIG. 2, configured in accordance with various embodiments to prevent spoofing of a UE by a malicious eNB.

Abbreviation

Various abbreviations can be used in the following description and collected here for easy reference.

3GPP: Third Generation Partnership Project

eNB: eNode B

EPS: Evolved Packet System

EMM: EPS Mobility Management

IMSI: International Mobile Subscriber Identity

IMEI: International Mobile Equipment Identity

GUTI: Globally Unique Temporary Identifier

GSM: Global System for Mobile Communication

HSS: Home Subscriber Server

LTE: Long Term Evolution

ME: Mobile Equipment

MME: Mobility Management Entity

PLMN: Public Land Mobile Network

RAN: Radio Access Network (RAN)

SID: Subscription Identification

TA: Tracking Area

TMSI: Temporary Mobile Subscriber Identity < RTI ID = 0.0 >

UE: User Equipment

UMTS: Universal Mobile Telecommunication System (UMTS)

UTRAN: UMTS Terrestrial Radio Access Network (UMTS)

Various embodiments are now described with reference to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of one or more embodiments. It may be evident, however, that such embodiments may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate describing one or more embodiments.

A fake, e. G. Malicious, eNode B (eNB) base station may indicate itself to the UE device as an active base station and may attract the UE to connect to the false eNB. For example, the fake eNB may identify itself as a normal eNB that belongs to the public mobile network (PLMN) ID for advertising. Such an operation by a false eNB may be referred to herein as a "spoofing attack ", more simply" spoofing "and the like. A spoofing attack can generally mean a situation in which a person or program gains an illegal gain by successfully masquerading as someone else by manipulating the data. In the present situation, a false eNB tries to gain an eNB by representing itself as a legitimate eNB.

The UE typically uses its own subscriber identifier (SID), such as an International Mobile Subscriber Identity (IMSI) or a Temporary Mobile Subscriber Identity (TMSI), to access the serving RAN over the eNB for service . This eNB may be referred to herein as an "initial" eNB, which may or may not be a legitimate eNB. The RAN includes a mobility management entity (MME) that is capable of retrieving authentication and authentication vectors for serving accessing UEs from a home subscriber server (HSS) using SIDs provided in legitimate access transactions. If it is determined that the UE subscription is valid and authenticated, then the MME proceeds to authenticate the UE, including verifying whether the UE processes the requested subscription key. If authentication is successful, both the UE and the serving network establish a secure session.

In some cases, the RAN may fail to obtain an authentication vector to connect to the HSS or authenticate the UE, receive an authentication rejection, or may not be able to provide the service for some other reason. In this situation, the MME responds to the UE with an appropriate error code referred to as an EPS mobility management (EMM) cause value or an EMM error code. Some EMM Cause values may allow the UE to effectively lock itself out of further attempts to connect. These EMM cause values may be referred to herein as lockout codes. For example, the locked state of the UE may continue until the UE is reset by cycling power. A false eNB may use this mode of operation to potentially impair the ability of a user to communicate by locking one or more UEs within the scope of a false eNB and potentially affect public safety.

Various embodiments may prevent such spoofing by a false eNB by configuring the UE to ignore the lock code if the lock code is not acknowledged by the second different (confirm) eNB. In some embodiments, the second eNB should be located in a different tracking area than the initial eNB. Only if the lock code is verified by the second eNB will the UE lock itself out of further attempts to connect to the RAN.

Figure 1 illustrates a network 100 that includes a UE 110, three eNBs 120, 130 and 140, and a network 160, e.g., a UTRAN. The network 160 may be configured to provide an evolved packet core (EPC) network and / or a global system for mobile communications (GSM) and / or a universal mobile telecommunications system (UMTS) network. The network 160 may include various components, for example, the MME 165 and the HSS 170. The eNBs 120 and 130 are shown sharing the same tracking area 175 and the eNB 140 is shown in a second, different tracking area 180. Those skilled in the art will recognize that the tracking area TA is typically a geographic or logical area that includes a plurality of neighboring cells. The TA may be used, for example, to track UEs in idle mode at granularities greater than the cell level.

Figure 1 also includes a false eNB 150. In the event that the UE 110 attempts to connect to the network 160, the false eNB 150 may be in any configuration that can mimic the operation of a legitimate eNB, such as any one of the eNBs 120, 130, Electronic device. The false eNB 150 may be used by malicious entities and may interfere with wireless communication within the local area, for example, as a joke or as a criminal act. This disturbance may be temporary and may not cause any physical damage to any actor communicating over the network 160, but may, for example, cause economic disruption or interfere with law enforcement or emergency service response .

More specifically, the false eNB 150 may itself represent a PLMN ID belonging to a valid operator and a locally stronger radio signal than the closest legitimate eNB. Accordingly, the UE 110 can recognize the false eNB as a legitimate eNB and send a connection request message to the false eNB 150. [ The false eNB 150 may then return an EMM error code that causes the UE 110 to enter the locked mode even if the eNB owns a valid network subscription. Since the messages containing these codes are sent before the authentication is initiated, they can not be signed by the network to prove their validity because there is no secure connection between the UE and the serving system yet. Therefore, current 3GPP technical standards do not protect against such attacks.

FIG. 2 shows a high-level schematic diagram of the UE 110 of FIG. The UE 110 may or may be any device configured to communicate with a wireless communication network that generally conforms to a standard collectively defining a 3GPP Long Term Evolution (LTE) network. For example, UE 110 may be a mobile phone, smartphone, tablet computer, laptop computer, or individual unit (e.g., a "wireless dongle") that may be coupled to such a device to provide 3GPP LTE communication functionality Can be implemented. UE 110 includes a processor 110a configured to communicate locally with memory 110b and transceiver 110c. By "locally communicating" it is meant that the processor 110a is configured to communicate with the memory 110b and the transceiver 110c without air gaps, for example, by direct ohmic connections such as wires, circuit boards, and the like . Transceiver 110c is also coupled to antenna 110d. Memory 110b includes instructions, for example, programs that, when executed by processor 110a, configure processor 110a to perform the various operations described in the embodiments herein. Processor 110a communicates with transceiver 110c to transmit and / or receive message and / or packet data to an eNB, e.g., eNB 120, 130 and 140 of FIG.

FIG. 3 shows a conventional method 300 in which a UE may attempt to authenticate to a RAN via an eNB, an MME, and an HSS. In the illustrated embodiment, the request for access by the UE is rejected. In the first step 3-1, the UE sends a connection request message to the eNB establishing secure communication to obtain secure access to the RAN. In step 3-2, the eNB forwards the connection request to the MME. In step 3-3, the MME attempts to authenticate the eNB by passing the identity credentials provided by the eNB to the HSS. Such credentials may include, for example, IMSI, IMEI, or globally unique temporary identifiers (GUTIs). In step 3-4, the HSS accesses the subscription record for the provided identity credentials and determines the associated valid subscription. Once the validation record is obtained, the HSS also generates a valid authentication (Auth) vector for the UE and returns them to the MME in step 3-5. Steps 3-3 to 3-5 are typical in some conventional implementations, but may be omitted in some cases. If the HSS returns an EMM error code due to one of the reasons described in the relevant standard, instead the HSS returns this code to the MME in steps 3-5 (see 3GPP TS 24.301, incorporated herein by reference). In the illustrated example where the EMM error code is returned by the HSS, the MME also determines the appropriate action of the UE based on the response in steps 3-6, and also sends a connection response containing the EMM error code in step 3-7 to the eNB Lt; / RTI > The eNB also sends a connection response containing the EMM error code to the UE in step 3-8. In step 3-9, if the EMM error code is one of those specified in 3GPP TS 24.301, the UE becomes the previously described locked state. For example, this standard provides three "lock codes". Code # 3 indicates that the UE is an "illegal UE", code # 6 indicates "illegal ME" (ME refers to "mobile equipment"), code # 8 indicates "EPS service and non- Not ".

FIG. 4 illustrates a scenario in which a false, e. G., Malicious eNB 420 may spoof a conventional UE 410 by, for example, mimicking a legitimate eNB. In step 4-1, the UE 410 sends a connection request to the false eNB 420. In step 4-2, the false eNB 420 generates a message containing an EMM error code to be sent to the UE 410. [ The EMM error code may be, for example, a lock code. The fake eNB 420, in the illustrated example, does not and does not interact with any appropriate network elements typically needed to authenticate the UE. The false eNB 420 returns, in step 4-4, a connection response including an EMM error code, such as the lock code described above. The UE 410 is then locked in response to the lock code. Note that the fake eNB 420 only needs to have the resources needed to communicate with the UE 410 and returns an EMM error code. Thus, a false eNB may be smaller than a legitimate eNB, and since it is less power consuming, it may be unwittingly distributed by a malicious actor. Also, depending on the type of identity provided by the UE 410 in the connection request, the false eNB 420 may direct an attack on one or more selected groups of UEs operating within the scope of the false eNB 420 .

5 illustrates a method 500 in accordance with various embodiments in which an eNB may defeat the risks provided by a false eNB. This figure refers to the UE 110, the eNB 120 (eNB1), the eNB 130 (eNB2), the MME 165 and the HSS 170 of FIG. The eNB 120 and the eNB 130 share the same PLMN ID. ENB 130 may be replaced by eNB 140 in some embodiments, as discussed below in the context of FIG.

In method 500, the first eight steps 5-1 through 5-8 of method 500 are directly similar to steps 3-1 through 3-8 of method 300. Thus, steps 5-1 through 5-8 may be conventional, but need not be. For example, these steps may comply with future revisions of applicable 3GPP standards. Although the transactions depicted between the MME 165 and the HSS 170, e.g., steps 5-3 through 5-6 and steps 5-12 through 5-15, are shown by way of example, they may be omitted in some embodiments .

In steps 5-9, the behavior of the UE 110 is different from the conventional UE. In the illustrated embodiment, the UE 110 stores the EMM error code received in the connection response and the ID of the eNB 120. The UE 110 also moves to the coverage of the second eNB 130 (eNB2). In step 5-10, the UE 110 repeats the connection procedure with the eNB2 130. [ Thus, steps 5-10, 5-11, 5-12, 5-13, 5-14, 5-15, 5-16 and 5-17 are performed as described for each of steps 5-1 through 5-8 .

In particular, the UE 110 receives a connection response message initiated from the MME 165, which may include an EMM error code, in steps 5-17. In step 5-18, the UE 110 selects a response determined by the connection response message. In some cases, the connection response does not include an EMM error code, and the UE 110 completes the connection to the network. In some other cases, the connection response includes the same EMM error code as received and stored by the UE 110 in step 5-9. In this case, the UE 110 can determine if a valid locking condition exists and is locked if it exists. In yet another alternative case, the connection response includes an EMM error code different from that received and stored by the UE 110 in step 5-9. In this case, the UE 110 may selectively ignore the second EMM error code, repeat the connection procedure with the eNB 120, repeat the connection procedure with the third eNB sharing the same PLMN ID, . In some embodiments, the third eNB may be located in a different tracking area, e. G., The tracking area 180, as the eNB 120, 130, as will be described further below.

FIG. 6 shows a flow diagram form of a method 600 of operation of an apparatus, for example, UE 110. Although FIG. 6 refers to the elements of FIG. 1 without limitation, it is recognized that an actual wireless communication network typically has a complex topology and includes various UEs and eNBs. Also, while method 600 is described in connection with 3GPP LTE, method 600 may be applicable to future wireless mobile communication standards, e.g., the so-called 5G or 5G wireless standards. The method 600 may be executed by the processor 110a as determined by instructions retrieved from the memory 110b. In a first step 605, the UE initially belongs to the coverage of the first eNB, eNB 120, for example. The first eNB is located in a first tracking area, e.g., tracking area 175, associated with the PLMN ID. Upon recognizing the eNB, the UE sends a connection request message to the eNB 120. This operation is similar to step 5-1 (FIG. 5). In step 610, the UE 110 determines in response to the connection request message whether the received connection response message includes an EMM error code. If not, the method branches to step 615 and completes the network access procedure as defined by the applicable 3GPP LTE standard. If an EMM error code is detected in step 610, the method proceeds to step 620. At this stage, the UE 110 determines whether the received EMM error code is a lock code. If not, the method branches to step 625, where the UE 110 proceeds as specified in the applicable 3GPP LTE standard, e.g., TS 24.301. If a lock code is detected instead, UE 110 in step 630 blocks access to the first eNB, e. G., ENB 120 and scans another eNB. If a second eNB, e.g., eNB 130, is detected, the method proceeds to step 635 to determine whether UE 110 is within the same first tracking area associated with the PLMN ID as the first eNB do. An example of such a case is provided in FIG. 1, where the eNB 120 and the eNB 130 are located in the same tracking area 175. In this case, the method branches to step 640. In step 640, the UE 110 sends a connection request message to the second eNB, eNB 130, for example. This step is similar to steps 5-10 of Fig.

Steps 640, 650, 655, 660, and 665 are as described for each step 605, 610, 615, 620, and 625. In step 670, if the UE 110 detects a lock code in step 660, the UE 110 sends a connection request message to all eNBs in the first tracking area, e.g., the tracking area 175 Stop the thing. Optionally, if the lock code detected in step 660 is the same as the lock code detected in step 620, the method 600 proceeds to step 670 only. After step 670, the method 600 proceeds to step 645.

Step 645, which may also be reached by branching from step 635, is a second tracking area of the PLMN ID, e.g., a third eNB located in the tracking area 180, e.g., eNB 140 ) And the connection procedure. The method 600 also executes steps 675, 680, 685, and 690, as described for each of the steps 650, 655, 660, and 665. In step 695, if the UE 110 detects a lock code in step 685, the UE 110 is locked. Optionally, if the lock code detected in step 685 is the same as the lock code detected in step 620 and / or 660, the method 600 proceeds to step 695 only.

Unless otherwise specified, each numerical value and range should be interpreted as approximation only if preceded by the word "about" or "approximately" the value or range of values.

It will also be appreciated that various changes in the details, materials, and arrangements of the parts described and illustrated to explain the nature of the invention may be performed by those skilled in the art without departing from the scope of the invention as expressed in the following claims.

Use of reference numerals and / or drawing reference labels in the claims is intended to identify one or more possible embodiments of the claimed subject matter to facilitate interpretation of the claims. Such use should not be construed as necessarily limiting the claim to the embodiment shown in the corresponding figures.

The elements of the following method claims are enumerated in a particular order with corresponding labels, but unless the disclosure of the claims implies a particular sequence for implementing some or all of these elements, But are not limited to being implemented in order.

As used herein with respect to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the invention. The appearances of the phrase "one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, and the separate or alternative embodiments are not necessarily mutually exclusive with the other embodiments. The same applies to the term "embodiment ".

It is also to be understood that the term " connecting, "" connecting," " connected, " Refers to any method known or later developed in the art and, although not required, the intervening of one or more additional elements is contemplated. Conversely, "directly connected "," directly connected "and the like imply that there are no such additional elements.

Embodiments covered by the claims of the present application are limited to (1) possible to this specification and (2) corresponding to the subject matter to be claimed. Embodiments corresponding to non-executable embodiments and non-legal claims are expressly disclaimed even if they are formally included in the claims.

The detailed description and drawings merely illustrate the principles of the invention. Thus, those skilled in the art will appreciate that, although not explicitly described or illustrated herein, various implementations may be devised that implement the principles of the invention and are encompassed within the spirit and scope thereof. Also, all of the examples referred to herein are expressly intended solely for educational purposes that help the reader understand the principles of the invention and the concepts contributed by the inventor to the development of the technology, and the limitations on these specifically mentioned examples and conditions It is interpreted that there is no. In addition, all statements herein reciting principles, aspects and embodiments of the invention, as well as specific examples thereof, are intended to include their equivalents.

The functions of the various elements shown in the figures, including any functional blocks labeled as "processors ", may be provided through the use of dedicated hardware as well as hardware capable of executing software in conjunction with appropriate software. When provided by a processor, the functions may be provided by a single dedicated processor, by a single shared processor, or by a plurality of individual processors, some of which may be shared. Also, explicit use of the terms "processor" or "controller" should not be construed to refer exclusively to hardware capable of executing software, and implicitly refers to digital signal processor (DSP) hardware, application specific integrated circuits ), Field programmable gate arrays (FPGAs), read only memory (ROM) for software storage, random access memory (RAM), and non-volatile storage. Other hardware-conventional and / or custom-may also be included. Similarly, any switch shown in the figure is merely conceptual. These functions may be performed in conjunction with appropriate computer hardware, through the operation of program logic, through dedicated logic, through program control and interaction of dedicated logic, and certain functions may be implemented in a manner that is more clearly understood from the context It is selectable by the person.

Those skilled in the art will understand that any block diagram herein is indicative of a conceptual illustration of an exemplary circuit that implements the principles of the present invention. Likewise, any flow chart, flow diagram, state transitions, pseudo code, and the like may be substantially represented on a computer readable medium so that the computer or processor, whether or not explicitly shown, It is understood that it represents various processes being executed.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, It is understandable that substitution is possible.

Claims (10)

A memory,
A processor configured to execute instructions stored in the memory,
The instructions, when executed,
To receive a first evolved packet system (EPS) mobility management (EMM) access rejection message in response to an attempt to attach to a radio access network (RAN)
To send a connection request to the conforming eNode B, provided that the first connection reject message includes a first EMM error code.
The processor
Device.
The method according to claim 1,
The processor may further comprise:
Receive a second attachment reject message from the acknowledgment eNB,
And configured to enter a locked state, provided that the second connection reject message includes a second EMM error code
Device.
The method according to claim 1,
The first EMM error code includes one of EMM cause value # 3 (illegal UE), # 6 (illegal ME) and # 8 (unauthorized EPS service and non EPS service)
Device.
3. The method of claim 2,
Both the first EMM error code and the second EMM error code include one of EMM cause value # 3 (illegal UE), # 6 (illegal ME) and # 8 (unauthorized EPS service and non EPS service)
Device.
5. The method of claim 4,
The first EMM error code and the second EMM error code are the same error code
Device.
The method according to claim 1,
The processor may further comprise:
After receiving the EMM error code, to block access to the initial eNB that received the EMM error code
Device.
The method according to claim 1,
The processor comprising:
Receives a connection refusal message from the acknowledgment eNB,
Configured to stop sending a connection request to all eNBs in a first tracking area including an initial eNB receiving the EMM error code, provided that the connection reject message includes an EMM error code
Device.
8. The method of claim 7,
Wherein the acknowledgment eNB is a first acknowledgment eNB,
Configured to send a connection request to a second acknowledgment eNB after ceasing to send a message to all eNBs in the first tracking zone
Device.
The method according to claim 1,
The acknowledgment eNB is a first acknowledgment eNB,
The processor may further comprise:
Sending a connection request to the second confirm eNB under the condition that the first confirm eNB is in the same tracking area as the initial eNB,
Configured to cause the access denied message received from the second acknowledgment eNB to be in a locked state, provided that the access denied message includes an EMM error code
Device.
The method according to claim 1,
The processor may further comprise:
And to be in the locked state only under the condition that the acknowledgment eNB is in a second tracking region that is different from the tracking region of the initial eNB that received the EMM error code
Device.

Images